refactor: use GraphQL-only for GitLab permission verification with comprehensive test coverage

lib/resolve-config.js

@@ -23,6 +23,7 @@ export default (
       CI_PROJECT_URL,
       CI_PROJECT_PATH,
       CI_API_V4_URL,
+      CI_API_GRAPHQL_URL,
       GL_TOKEN,
       GITLAB_TOKEN,
       GL_URL,
@@ -59,6 +60,11 @@ export default (
         : service === "gitlab" && CI_API_V4_URL
           ? CI_API_V4_URL
           : urlJoin(defaultedGitlabUrl, isNil(userGitlabApiPathPrefix) ? "/api/v4" : userGitlabApiPathPrefix),
+    gitlabGraphQlApiUrl: userGitlabUrl
+      ? urlJoin(userGitlabUrl, "/graphql")
+      : service === "gitlab" && CI_API_GRAPHQL_URL
+        ? CI_API_GRAPHQL_URL
+        : urlJoin(defaultedGitlabUrl, "/graphql"),
     assets: assets ? castArray(assets) : assets,
     milestones: milestones ? castArray(milestones) : milestones,
     successComment,

lib/verify.js

@@ -30,7 +30,10 @@ export default async (pluginConfig, context) => {
     options: { repositoryUrl },
     logger,
   } = context;
-  const { gitlabToken, gitlabUrl, gitlabApiUrl, proxy, ...options } = resolveConfig(pluginConfig, context);
+  const { gitlabToken, gitlabUrl, gitlabApiUrl, gitlabGraphQlApiUrl, proxy, ...options } = resolveConfig(
+    pluginConfig,
+    context
+  );
   const { projectPath, projectApiUrl } = getProjectContext(context, gitlabUrl, gitlabApiUrl, repositoryUrl);
 
   debug("apiUrl: %o", gitlabApiUrl);
@@ -54,28 +57,59 @@ export default async (pluginConfig, context) => {
   }
 
   if (gitlabToken && projectPath) {
-    let projectAccess;
-    let groupAccess;
-
     logger.log("Verify GitLab authentication (%s)", gitlabApiUrl);
 
     try {
-      ({
-        permissions: { project_access: projectAccess, group_access: groupAccess },
-      } = await got
+      // First, get basic project information to ensure the project exists
+      await got
         .get(projectApiUrl, {
           headers: { "PRIVATE-TOKEN": gitlabToken },
           ...proxy,
         })
-        .json());
-      if (
-        context.options.dryRun &&
-        !((projectAccess && projectAccess.access_level >= 10) || (groupAccess && groupAccess.access_level >= 10))
-      ) {
+        .json();
+
+      // Use GraphQL to check user permissions
+      debug("Checking permissions via GraphQL");
+      const query = `
+        query {
+          project(fullPath: "${projectPath}") {
+            userPermissions {
+              pushToRepository
+              readRepository
+            }
+          }
+        }
+      `;
+
+      const graphqlResponse = await got
+        .post(gitlabGraphQlApiUrl, {
+          headers: {
+            "Private-Token": gitlabToken,
+            "Content-Type": "application/json",
+            Accept: "application/graphql-response+json",
+          },
+          json: { query },
+          ...proxy,
+        })
+        .json();
+
+      if (graphqlResponse.errors) {
+        debug("GraphQL query returned errors: %O", graphqlResponse.errors);
+        throw new Error(`GraphQL query failed: ${graphqlResponse.errors.map((e) => e.message).join(", ")}`);
+      }
+
+      const permissions = graphqlResponse.data?.project?.userPermissions;
+      if (!permissions) {
+        debug("No permissions data returned from GraphQL query");
+        throw new Error("Unable to determine permissions from GraphQL response");
+      }
+
+      debug("GraphQL permissions: %O", permissions);
+
+      // Check permissions based on GraphQL response
+      if (context.options.dryRun && !permissions.readRepository) {
         errors.push(getError("EGLNOPULLPERMISSION", { projectPath }));
-      } else if (
-        !((projectAccess && projectAccess.access_level >= 30) || (groupAccess && groupAccess.access_level >= 30))
-      ) {
+      } else if (!permissions.pushToRepository) {
         errors.push(getError("EGLNOPUSHPERMISSION", { projectPath }));
       }
     } catch (error) {

test/resolve-config.test.js

@@ -7,6 +7,7 @@ const defaultOptions = {
   gitlabToken: undefined,
   gitlabUrl: "https://gitlab.com",
   gitlabApiUrl: urlJoin("https://gitlab.com", "/api/v4"),
+  gitlabGraphQlApiUrl: urlJoin("https://gitlab.com", "/graphql"),
   assets: undefined,
   milestones: undefined,
   successComment: undefined,
@@ -41,6 +42,7 @@ test("Returns user config", (t) => {
       gitlabToken,
       gitlabUrl,
       gitlabApiUrl: urlJoin(gitlabUrl, gitlabApiPathPrefix),
+      gitlabGraphQlApiUrl: urlJoin(gitlabUrl, "/graphql"),
       assets,
       labels: false,
       retryLimit,
@@ -54,6 +56,7 @@ test("Returns user config", (t) => {
       gitlabToken,
       gitlabUrl,
       gitlabApiUrl: urlJoin(gitlabUrl, gitlabApiPathPrefix),
+      gitlabGraphQlApiUrl: urlJoin(gitlabUrl, "/graphql"),
       assets,
       proxy,
     }
@@ -77,6 +80,7 @@ test("Returns user config via environment variables", (t) => {
       gitlabToken,
       gitlabUrl,
       gitlabApiUrl: urlJoin(gitlabUrl, gitlabApiPathPrefix),
+      gitlabGraphQlApiUrl: urlJoin(gitlabUrl, "/graphql"),
       assets,
       milestones,
     }
@@ -96,6 +100,7 @@ test("Returns user config via alternative environment variables", (t) => {
       gitlabToken,
       gitlabUrl,
       gitlabApiUrl: urlJoin(gitlabUrl, gitlabApiPathPrefix),
+      gitlabGraphQlApiUrl: urlJoin(gitlabUrl, "/graphql"),
       assets,
       milestones: undefined,
       successComment: undefined,
@@ -223,6 +228,7 @@ test("Returns user config via alternative environment variables with mismatching
       gitlabToken: "TOKEN",
       gitlabUrl: "http://host.com",
       gitlabApiUrl: "http://host.com/api/prefix",
+      gitlabGraphQlApiUrl: "http://host.com/graphql",
       assets: ["file.js"],
     }
   );
@@ -245,6 +251,7 @@ test("Returns user config via alternative environment variables with mismatching
       gitlabToken: "TOKEN",
       gitlabUrl: "https://host.com",
       gitlabApiUrl: "https://host.com/api/prefix",
+      gitlabGraphQlApiUrl: "https://host.com/graphql",
       assets: ["file.js"],
     }
   );
@@ -387,6 +394,7 @@ test("Returns default config via GitLab CI/CD environment variables", (t) => {
       gitlabToken,
       gitlabUrl: "http://ci-host.com",
       gitlabApiUrl: CI_API_V4_URL,
+      gitlabGraphQlApiUrl: "http://ci-host.com/graphql",
     }
   );
 });
@@ -415,6 +423,7 @@ test("Returns user config over GitLab CI/CD environment variables", (t) => {
       gitlabToken,
       gitlabUrl,
       gitlabApiUrl: urlJoin(gitlabUrl, gitlabApiPathPrefix),
+      gitlabGraphQlApiUrl: urlJoin(gitlabUrl, "/graphql"),
       assets,
       failTitle: "The automated release unfortunately failed!",
       labels: "bot,release-failed",
@@ -450,6 +459,7 @@ test("Returns user config via environment variables over GitLab CI/CD environmen
       gitlabToken,
       gitlabUrl,
       gitlabApiUrl: urlJoin(gitlabUrl, gitlabApiPathPrefix),
+      gitlabGraphQlApiUrl: urlJoin(gitlabUrl, "/graphql"),
     }
   );
 });
@@ -482,6 +492,7 @@ test("Returns user config via alternative environment variables over GitLab CI/C
       gitlabToken,
       gitlabUrl,
       gitlabApiUrl: urlJoin(gitlabUrl, gitlabApiPathPrefix),
+      gitlabGraphQlApiUrl: urlJoin(gitlabUrl, "/graphql"),
     }
   );
 });